Hey @slodge !! So sorry for the delay getting back to you here!
You are spot on, the manifest.json is way overkill in the information / detail that it tracks about files and such. Although we are thinking about and planning to add a way to exclude files at some point, you are exactly right - at present, the Connect deployment mechanism is very git-based (new commits trigger new deployments) and very naive (it includes all files in the directory).
There are several reasons for this. At its simplest, many of the error states you can run into by basing things off of just the manifest, or by depending on hash values inside the manifest, turn out to be very painful for users. Our hope with the current implementation is that it strikes the balance between reproducibility and good UX, with the downside that it is possible to deploy old manifests (i.e. if you forget to update it) and lose reproducibility that way.
For that case, we usually recommend building a pre-commit hook or something of that nature (i.e. a more recent discussion with a similar aim here: Github Action for `rsconnect::writeManifest`) to either warn / error / or generate the manifest for you.
I'm curious to hear how things have progressed since you wrote this message (6 MONTHS AGO!? Where does time go!?) and if this fits your needs or if you have any additional questions / feedback!